View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0027056 | mantisbt | security | public | 2020-06-21 02:29 | 2020-09-11 09:02 |
Field | Value
---|---
Reporter | hanno
Assigned To | dregad
Priority | normal
Severity | minor
Reproducibility | always
Status | closed
Resolution | fixed
Product Version | 2.1.0
Target Version | 2.24.2
Fixed in Version | 2.24.2
Summary | 0027056: CVE-2020-16266: HTML injection (maybe XSS) via custom field on view_all_bug_page.php
Description | The content of the filter variable in the view of view_all_bug_page.php is not filtered, allowing a third party to inject HTML. This would usually be a cross-site scripting vulnerability, but the Content Security Policy header blocks executing scripts. However, it might still be possible to achieve XSS by invoking functionality from the bundled JavaScript libraries. The output should be properly HTML-escaped.
Steps To Reproduce | poc:
Tags | No tags attached.
Thanks for the bug report, I'll have a look at it. Did you request a CVE for the issue? If so, please let us know the ID; otherwise we'll take care of it. How would you like to be credited for the finding?

Confirmed HTML injection it is! (and potential XSS if CSP settings allow)

print_filter_values_custom_field() function seems to be the most appropriate place to add the escaping - @cproensa, what do you think?

One addition: I haven't discovered this myself; this was reported to me because I run a public Mantis instance which is covered by a (non-payment) bug bounty. I just ask the finder if he wants to be publicly credited for this.

Problem exists since refactoring of filter display in Mantis 2.1.0 (see 0021935)

Finder of the vulnerability is Jaime Andrés Restrepo, please credit him accordingly when publishing an update + security advisory.

CVE request 938519 sent

CVE-2020-16266 assigned.

MantisBT: master 9ef8f23a 2020-06-22 02:55

Fix XSS in view_all_bug_page.php (CVE-2020-16266)

Hanno Boeck reported a stored cross-site scripting (XSS) vulnerability, originally discovered by Jaime Andres Restrepo. Improper escaping on view_all_bug_page.php allowed a remote attacker to inject arbitrary HTML into the page by saving it into a text Custom Field, leading to possible code execution in the browser of any user subsequently viewing the issue (if CSP settings allow it).

Prevent the attack by properly escaping the custom field's contents before display.

Fixes 0027056

Affected Issues 0027056

mod - core/filter_form_api.php
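The bug class behind this issue, shown as an added example that is not MantisBT code and not the patch in core/filter_form_api.php: a text custom field value reaches the filter summary on view_all_bug_page.php without HTML escaping, so whatever was saved into the field is emitted as live markup. The function names below are hypothetical stand-ins for print_filter_values_custom_field(); the payload is constructed for the example, and PHP's built-in htmlspecialchars is used directly rather than the project's own string helpers.

```php
<?php
// Added example for this issue; not MantisBT code. It reproduces the pattern
// described in the report in miniature: a text custom field value reaching
// the filter summary on view_all_bug_page.php without HTML escaping, next to
// the escaped rendering that the fix applies. The function names are
// hypothetical stand-ins for print_filter_values_custom_field().
declare(strict_types=1);

/**
 * Vulnerable rendering: the stored value is concatenated into markup as-is,
 * so whatever was saved into the custom field becomes live HTML for every
 * user who views a filter that references that value.
 */
function render_filter_value_unescaped(string $field_name, string $value): string
{
    return '<td>' . $field_name . ': ' . $value . '</td>';
}

/**
 * Escape a string for an HTML text or attribute context. ENT_QUOTES also
 * escapes single quotes so the result is safe inside quoted attributes;
 * ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty
 * string, which would otherwise silently drop the value from the page.
 */
function html_escape(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Hardened rendering: escape both the field name and the value before output.
 */
function render_filter_value_escaped(string $field_name, string $value): string
{
    return '<td>' . html_escape($field_name) . ': ' . html_escape($value) . '</td>';
}

/**
 * Minimal check a reviewer can run: after stripping the fixed <td> wrapper
 * this example adds, the cell content must contain no raw tag or attribute
 * delimiters, so the payload can no longer open an element or attribute.
 */
function contains_raw_markup(string $cell): bool
{
    $inner = substr($cell, strlen('<td>'), -strlen('</td>'));
    return strpbrk($inner, '<>"') !== false;
}

// Constructed payload standing in for an attacker-controlled custom field value.
$payload = '<img src=x onerror="alert(document.domain)">';

$unsafe = render_filter_value_unescaped('Browser', $payload);
$safe   = render_filter_value_escaped('Browser', $payload);

echo "unescaped: $unsafe\n";
echo "escaped:   $safe\n";

if (!contains_raw_markup($unsafe) || contains_raw_markup($safe)) {
    fwrite(STDERR, "escaping check failed\n");
    exit(1);
}
echo "escaping check passed\n";
```

Run it with `php example.php`. The check passes only when the unescaped output still carries the raw `<img ...>` and the escaped output carries none of `<`, `>` or `"`. Output escaping is the fix regardless of the Content Security Policy: as the report notes, CSP only blocked inline script execution, while injected markup could still reach whatever the bundled JavaScript libraries act on, so the value must be escaped at the point of display rather than relying on the header to contain the damage.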